Fugue today announced it has extended its eponymous platform for securing cloud environments to include container runtime environments.
Josh Stella, Fugue’s CEO, says it’s more cost effective for organizations to employ a platform they are already using to secure virtual machines running in those environments, rather than acquiring a separate platform.
Most IT teams will be running monolithic applications in the cloud alongside microservices-based applications, built using containers, for years to come, says Stella.
Specifically, Fugue provides security and compliance tools for managed container services offered by Amazon Web Services (AWS) and Microsoft Azure.
According to the Docker Benchmark, defined by the Center for Internet Security (CIS), the Fugue platform provides continuous configuration visibility, security checks and compliance reporting to enable IT teams to run policy checks against IT infrastructure that has been provisioned as code.
As is the case in most virtual machine deployments, Stella says the bulk of container security issues IT organizations encounter can be traced to misconfigurations. The Fugue platform ensures infrastructure is configured correctly by checking it against either the CIS Docker Benchmark or a set of additional custom rules, defined by IT security teams, using the Open Policy Agent (OPA) software developed by the Cloud Native Computing Foundation (CNCF).
Fugue also checks for compliance with a wide variety of standards and regulations, including the General Data Protection Rule (GDPR), Payment Card Industry Data Security Standard (PCI DSS) and the Healthcare Industry Portability and Accountability Act (HIPAA).
The company also provides access to a Fugue Best Practices framework to protect against advanced misconfiguration exploits involving, for example, complex identity and access management (IAM) vulnerabilities. There’s also a cloud security posture management (CSPM) platform that provides access to a data warehouse for analyzing data collected by both Fugue and third-party security tools.
Of course, container runtimes are only one aspect of container security. IT organizations need to craft a set of DevSecOps best practices that span everything from securing code as it is written and encapsulated to the hosts on which those containers are deployed. In many cases, the adoption of containers requires IT teams to shift responsibility for application security further left toward developers. The challenge now is making sure those developers have access to the tools needed to assume that responsibility.
In the meantime, most of the breaches involving containers thus far have involved cybercriminals using containers to run cryptojacking malware on hosts to mine digital currencies. While many IT staff view such efforts as the digital equivalent of a nuisance crime, those breaches indicate cybercriminals already know how to compromise container environments. With more digital business transformation initiatives revolving around container platforms, it’s now only a matter of time before container breaches become a lot more impactful.